The presentation discusses the vulnerabilities found in DDS implementations and the importance of fuzzing and white box application browsing in cybersecurity.
- DDS implementations have vulnerabilities that can be exploited through reflection or amplification attacks
- Fuzzing and white box application browsing are important in identifying vulnerabilities
- The serializer and deserializer functions are good targets for fuzzing
- The presentation emphasizes the need for better serialization practices in programming languages
- The importance of finding the desired spin in code to avoid garbage information in fuzzing is highlighted
The presenter found that changing IPs to random addresses in their testing caused some implementations to send packets uncontrollably, leading to the discovery of a reflection or amplification attack that affects all implementations. The issue was submitted to the ONG and some implementations have been patched, but the presenter emphasizes the need for better standards in the next revision.
We discovered and disclosed vulnerabilities in most of the OMG Data Distribution Service (DDS) implementations. DDS enables crucial technologies like autonomous driving, healthcare machinery, military tactical systems, or missile launch stations. Notably, DDS is used by NASA at the KSC, by SIEMENS for smart grid applications, by Volkswagen and Bosch for autonomous valet parking systems, by NAV CANADA for ATC, and by the Robot Operating System 2 (ROS2) to control industrial and consumer robots.Designed around industrial-level requirements, DDS sits deep in the control network, allowing an arbitrary number of endpoints like sensors or actuators to communicate transparently, with an abstract API based on familiar data type specifications (e.g., C structs) and simple function calls, regardless of the complexity of the data.We approached DDS from the bottom up, and we will show you how we wrote a Scapy layer to guide you through the packet structure. Although network fuzzing wasn't directly effective, it greatly helped us to master the tiny details of DDS. This led us to find an amplification vulnerability in the standard, which allows an attacker to redirect flood an arbitrary host. DDS configuration is highly dependent on XML, JSON, YAML, or similar formats, which make them another attack vector. By writing a Radamsa-based file fuzzer we found a parsing vulnerability in RTI DDS Connector, so an attacker can use a malicious configuration file to gain initial access. We then focus on fuzzing the message interpretation routines in all implementations. Using concrete examples, we explain how to pick good fuzz targets and prepare them for popular frameworks like OSS-Fuzz and UnicornAFL.We take you from knowing nothing about DDS to efficiently researching new vulnerabilities, which we encourage other researchers, DDS users and implementors to do. We report on our interactions with some of the DDS implementors, which we believe is the first concrete step towards securing this critical protocol in the long run. We release fuzzing harnesses and a Scapy layer to decode the DDS RTPS layer.